Privacy Policy
1 Data We Collect
We collect only the minimum data necessary to operate the Game and provide a safe, functional service. The categories of personal data we process are:
| Data Category | Examples | Purpose |
|---|---|---|
| Account Data | Email address, username, password hash, race selection, account creation date | Account creation, authentication, and recovery |
| IP Address | Your internet IP address at login and during sessions | Security, fraud detection, rate limiting, abuse prevention |
| Gameplay Data | Character stats, level, inventory, quest progress, combat logs, clan membership, in-game actions | Game state management, balance, leaderboards |
| Session Data | Session tokens, last login timestamp, browser type (User-Agent) | Maintaining authenticated sessions, security |
| Chat & User Content | In-game chat messages, clan messages, public posts | Game functionality, moderation, abuse prevention |
We do not collect payment card data, real-name information, physical addresses, or any sensitive special-category data as defined under GDPR Art. 9.
2 How We Use Data
We use collected data for the following purposes:
- Service Operation: To create and maintain your account, save your game progress, and deliver core game functionality.
- Authentication & Security: To verify your identity at login, detect unauthorized access, and protect accounts from compromise.
- Abuse Prevention: To detect cheating, botting, multi-accounting, and other violations of our Terms of Service.
- Communication: To send essential service emails (account confirmation, password reset, significant policy updates). We do not send marketing emails without explicit opt-in consent.
- Game Balancing & Analytics: Aggregated, anonymized gameplay data is analyzed to improve game balance, fix bugs, and develop new features. This analysis does not involve individual profiling.
- Moderation: To review reported content and enforce community standards and our Terms of Service.
- Legal Compliance: To meet obligations under applicable law, including GDPR, and to respond to lawful requests from authorities.
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects on you.
3 Legal Basis (GDPR Art. 6)
Under the GDPR, we rely on the following lawful bases for processing your personal data:
- Art. 6(1)(b) — Contract: Processing your account data, gameplay data, and session data is necessary to perform the contract of service you enter into when you register and use the Game.
- Art. 6(1)(f) — Legitimate Interests: Processing IP addresses and security logs to prevent fraud, abuse, and unauthorized access is in our legitimate interest and that of our player community, provided such interests are not overridden by your fundamental rights.
- Art. 6(1)(c) — Legal Obligation: In limited circumstances, we may need to process or retain data to comply with a legal obligation, such as responding to a court order.
- Art. 6(1)(a) — Consent: Where we send optional communications (e.g., newsletters or promotional updates), we will ask for your explicit prior consent, which you may withdraw at any time.
4 Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy, or as required by law:
- Active Account Data: Retained for the lifetime of your account.
- Inactive Accounts: Accounts with no login activity for 12 months will be flagged, and the account holder will be notified by email. After 30 days without a response, the account and its associated data will be scheduled for deletion.
- Security Logs (IP, session): Retained for 90 days for security and abuse-detection purposes, then automatically deleted.
- Chat & Moderation Logs: Retained for 6 months, or longer where needed as evidence in an ongoing moderation or legal dispute.
- Deleted Accounts: Upon account deletion, personal data is purged within 30 days from our production systems and within 90 days from backups.
Anonymized, aggregated data that cannot be used to identify any individual may be retained indefinitely for statistical and game development purposes.
5 Your Rights (GDPR)
Under the GDPR, you have the following rights with respect to your personal data. You may exercise any of these rights by contacting us at privacy@duskmaw.com.
We will respond to all rights requests within 30 days. If your requests are complex or numerous, this period may be extended by a further 60 days with prior notice. We will not charge a fee for reasonable requests.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your national supervisory authority. In the EU, a list of authorities is available at: edpb.europa.eu.
6 Cookies
We use a minimal cookie policy designed to respect your privacy:
- Session Cookie: A single, strictly necessary session cookie is set upon login to maintain your authenticated session. This cookie is deleted when you log out or close your browser session. It contains no personally identifying information beyond a secure, random session token.
- No Third-Party Tracking Cookies: We do not use any advertising, analytics, or social media tracking cookies. We do not integrate with Google Analytics, Facebook Pixel, or similar tracking services.
- LocalStorage: The Game uses browser LocalStorage for client-side preferences (e.g., UI settings) and PWA caching. This data is stored locally on your device and is not transmitted to our servers.
7 Third Parties
We do not sell, rent, or trade your personal data to any third party for commercial or marketing purposes. Data sharing is limited to the following essential service providers:
- Hetzner Online GmbH (Hosting): Our game servers and database are hosted on Hetzner infrastructure, located within the European Union (Germany). Hetzner acts as a data processor under a Data Processing Agreement (DPA) and processes data only on our instruction. Hetzner is GDPR-compliant. See: hetzner.com/legal/privacy-policy.
- Google Fonts: Cinzel and Crimson Pro fonts are loaded from Google Fonts CDN. This involves a request to Google servers that may log your IP address. Google Fonts data is governed by Google's Privacy Policy. To avoid this, you may use a browser extension to block font CDN requests — the Game remains fully functional with system fallback fonts.
- Transactional Email: If you request a password reset, a transactional email is sent via our email service provider. Email addresses are processed solely for delivery and not used for marketing.
- Payment Processors: When you purchase optional cosmetic Gem packages, payment data (card details, billing address) is processed directly by our PCI-DSS-compliant payment processor — we never see or store full card numbers. Which processor handles your transaction depends on your selected currency and country:
  - Stripe Payments Europe, Ltd. (Ireland) — default processor for USD, EUR, PLN. Supports cards, Apple Pay, Google Pay, BLIK (PL), Przelewy24 (PL), SEPA, Bancontact, iDEAL. See: stripe.com/privacy.
  - WayForPay LLC (Ukraine) — processor for UAH transactions. Supports cards, Приват24, Monobank, Apple Pay, Google Pay. See: wayforpay.com/uk/confidentiality.
  - Pagar.me S.A. (Brazil) and MercadoPago (LatAm) — processors for BRL, MXN, ARS, COP, CLP transactions. Supports cards, PIX, Boleto, OXXO, PSE, Webpay. Activation per region.
We do not share data with law enforcement or government authorities except where required by a lawful order, court warrant, or applicable legal obligation. Where permitted, we will notify you of such requests.
8 Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS enforced site-wide).
- Password Hashing: Passwords are never stored in plain text. We use bcrypt hashing with a sufficient cost factor.
- Database Security: Our PostgreSQL database is not exposed to the public internet and is accessible only through secured, authenticated internal connections.
- Rate Limiting: Login endpoints and sensitive actions are rate-limited to prevent brute-force attacks.
- Access Control: Administrative access to production systems is restricted to authorized personnel using key-based authentication.
- Regular Backups: Database backups are taken regularly and stored securely to enable recovery from incidents.
In the event of a personal data breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours and, where required, inform affected users without undue delay.
No system is completely secure. While we take strong precautions, we cannot guarantee the absolute security of data transmitted over the internet. You are responsible for keeping your account credentials confidential.
9 Children
Vampires vs. Werewolves is intended for users aged 13 and older. We do not knowingly collect personal data from children under 13 years of age.
If you are under 13, you are not permitted to create an account or use the Service. If you are between 13 and 18, you must have the consent of a parent or legal guardian before registering.
If we discover that we have inadvertently collected personal data from a child under 13, we will take steps to delete that data promptly. If you believe a child under 13 has created an account, please contact us at privacy@duskmaw.com so we can investigate and remove the account.
Parents or guardians may request access to, correction of, or deletion of data belonging to a minor in their care by contacting us with appropriate verification.
10 Contact & Data Protection
For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data, please contact us:
Email: privacy@duskmaw.com
Response time: within 30 days (GDPR-mandated)
General Support:
Email: support@duskmaw.com
Website: duskmaw.com
If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority in your EU member state of residence. The European Data Protection Board maintains a list of national authorities at edpb.europa.eu.
This Privacy Policy was last updated on March 16, 2026. We will update this Policy as our data practices evolve or when required by law, and will notify users of material changes via in-game notice and email.